Suppose you have a number of branch sites which need to connect to a hub site. Each branch site has a private dedicated circuit as its primary path and a routed VPN tunnel carried over a business-class broadband circuit as its secondary circuit.
Under normal conditions, all traffic from the site traverses the dedicated circuit. Should the dedicated circuit fail, all traffic (including Internet traffic) traverses the VPN tunnel over the Internet back to the main site. Internet traffic is routed via the main site rather than directly out to the Internet to ensure that it passes through a content filtering mechanism.
This design is fairly simple, but what if we need to provide Internet access for a guest wireless network as well? This guest traffic cannot, for security reasons, be routed through the main office; it must be routed directly out to the Internet via the broadband circuit.
The first implication of this new requirement is that we will need two default routes: One for internal corporate traffic to follow back to the main site, via either the dedicated circuit or the VPN tunnel, and one for the guest network to follow directly out to the Internet. We can leverage VRF lite on Cisco IOS to accomplish this.
First, let's define our interfaces on the branch router:
- Gi0/0.10 - Corporate network (VLAN 10)
- Gi0/0.20 - Guest network (VLAN 20)
- Gi0/1 - Private MPLS connectivity to main office
- Gi0/2 - Broadband Internet access
- Tunnel0 - Backup VPN tunnel to main office
We'll create a VRF named Internet to hold the guest network and Internet interfaces and a default route. Corporate network routes will be kept in the global table. (This may be the inverse of what you would expect when employing a VRF, but it works quite well.)
```
ip vrf Internet
!
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.10
 description Corporate LAN
 encapsulation dot1Q 10
 ip address 10.8.42.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description Guest Wireless
 encapsulation dot1Q 20
 ip vrf forwarding Internet
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Private Circuit
 ip address 10.8.0.26 255.255.255.252
!
interface GigabitEthernet0/2
 description Broadband Internet
 ip vrf forwarding Internet
 ip address 192.0.2.84 255.255.255.0
!
interface Tunnel0
 description VPN Tunnel to Main Office
 ip address 10.16.0.26 255.255.255.252
 tunnel source GigabitEthernet0/2
 tunnel destination 18.104.22.168
 tunnel protection ipsec profile VPN
```
Assume that a default route is being advertised via BGP over the private circuit, and a floating static default route has been configured pointing out the VPN tunnel in the global table. We just need to configure a static default route in the Internet VRF:
```
Router(config)# ip route vrf Internet 0.0.0.0 0.0.0.0 192.0.2.1
```
There's one piece of configuration left to make: Since we assigned Gigabit0/2 to the Internet VRF, and Tunnel0 is being sourced from that interface, we need to explicitly source Tunnel0 from that VRF:
```
Router(config)# interface tunnel0
Router(config-if)# tunnel vrf Internet
```
This command instructs the router to follow the Internet VRF routing table to reach the tunnel endpoint. It does not affect the forwarding of traffic within the tunnel, which is kept in the default routing table. (To change the forwarding VRF, you would use the command ip vrf forwarding just as you would on a physical interface.)
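The tunnel vrf step above is easy to forget when an interface is later moved into a VRF, and the symptom is simply a tunnel that never comes up. The following is an added example (not code from the original post) that parses an IOS configuration and flags any tunnel whose tunnel vrf does not match the VRF of its tunnel source interface; the embedded configuration is a constructed excerpt of the branch router above with the tunnel vrf line still missing.

```python
# Constructed sample, not the post's full config: Gi0/2 is in VRF Internet and
# Tunnel0 is sourced from it, but "tunnel vrf Internet" has not been added yet.
SAMPLE_CONFIG = """\
ip vrf Internet
!
interface GigabitEthernet0/2
 ip vrf forwarding Internet
 ip address 192.0.2.84 255.255.255.0
!
interface Tunnel0
 ip address 10.16.0.26 255.255.255.252
 tunnel source GigabitEthernet0/2
 tunnel destination 18.104.22.168
 tunnel protection ipsec profile VPN
"""

def parse_interfaces(config):
    """Collect the indented lines under each 'interface <name>' stanza."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return stanzas

def _arg(lines, prefix):
    """Argument following 'prefix' in a stanza, or None if the command is absent."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None

def tunnel_vrf_mismatches(config):
    """Return (tunnel, source, source VRF, tunnel VRF) for every tunnel whose
    'tunnel vrf' differs from its source interface's VRF; None = global table."""
    ifaces = parse_interfaces(config)
    hits = []
    for name, lines in ifaces.items():
        src = _arg(lines, "tunnel source")
        if name.startswith("Tunnel") and src is not None:
            src_vrf = _arg(ifaces.get(src, []), "ip vrf forwarding")
            tun_vrf = _arg(lines, "tunnel vrf")
            if src_vrf != tun_vrf:
                hits.append((name, src, src_vrf, tun_vrf))
    return hits
```

Run against the sample it reports Tunnel0 sourced from GigabitEthernet0/2 in VRF Internet with no tunnel vrf set; once tunnel vrf Internet is added to the stanza the list is empty.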
Note: I've not included a complete configuration here: You would want to extend the interface configurations to employ NAT and probably some type of security control, such as IOS Zone-Based Firewall.